How to Establish an Effective Information Security Policy


While technology has helped to revolutionize the retail industry, the revolution has come with new risks. Internal and external security threats put a company’s data and data systems at risk on a daily basis. As a result, the need to develop an information security policy as part of general operations has become paramount in order to implement protections against these threats.

“Data security” can carry different meanings for different people, and depending on your position in the company and specific area of responsibility, definitions and objectives can vary substantially. However, a common thread exists—the ultimate goal is still to protect the security, confidentiality, integrity, quality and availability of a company’s information assets.

An information security policy is the foundation of any information security program. It comprises a set of rules that govern the acceptable use of technical resources, security practices, and operational procedures within the company and its supporting technological environment.


Many components make up a strong information security policy, but the most critical are that:

1) Corporate management supports the policy; and
2) The policy aligns information security with the core objectives of the business.

There must be unwavering support by the leaders at the highest level of the organization in order for an information security policy to weave itself into the day-to-day operations of the business. This will only happen if the policy reflects core business objectives.

That policy must be drafted with the primary aim of supporting the business while providing adequate standards and controls that safeguard the business and its customers.

Some common subject areas found in an information security policy could include, but are not limited to:

  • Employee/management roles and responsibilities
  • Guidelines for acceptable and unacceptable use of company resources (such as Internet and email)
  • Acceptable use of company software and hardware
  • Non-compliance issues
  • Incident management
  • Remote access and mobile computing
  • Information classification guidelines
  • User ID and password standards and management
  • Physical security
  • Data archiving (how often each user should copy information to an archive file) and backup requirements
  • A framework and foundation for governance

Each subject will highlight employee expectations and will include the “do’s” and “don’ts” of information security. Such policies will also set a minimum standard for what controls are to be in place and what practices are required in order to maintain computing systems.

For example, a mobile computing policy might state “Anti-virus software must be installed on all company workstations and servers used for revenue-generating purposes.”

Policy statements can also be used to define acceptable and unacceptable behaviors (for example, “Employees are not permitted to use company systems to download or email objectionable content, such as jokes, chain letters, pornographic materials or other specific file types that are more susceptible to viruses and malicious programs”). Including this type of guideline in an information security policy helps a company limit its risk and promotes positive behaviors that contribute to a safer, more secure computing environment in which employees can work and conduct their daily business.

It is important to set some time aside and familiarize yourself with your company’s information security policy. While these policies are becoming more commonplace, practices—as well as the method of delivery—may vary from company to company.

You may believe that you are following information security best practices in your daily activities. However, you may also be surprised to learn that there are important data security policy responsibilities with which you may not have been familiar.

What to Include in an Information Security Policy

As loss prevention professionals, we are exposed to an array of sensitive information every single day. In addition to investigative data and other case-sensitive information, we often have access to financial data, confidential records, sensitive personnel files, contracts, research information and a host of other vital company assets. Every piece of data that we access must be perceived as important and considered a valuable asset, and we must always remain concerned about the safety and integrity of that data.

The corporate world has been hit by a wave of security issues in recent years, exposing severe weaknesses in how businesses protect their information assets. Organizations of all sizes can fall victim to what amounts to poor security planning and improper data handling, which ultimately exposes company assets to potential data breaches.

Each of us represents a link in the security chain, carrying a responsibility to maintain the safety and integrity of this information. Safeguarding sensitive data is more than good business; it is a professional responsibility.

A sound information security policy is built on several key principles. First of all, take stock of what you have. Know what information you have access to in your files.

Second, maintain access only to the information that you need. Limit exposures by managing accessibility (for example, store sensitive information on a company server or other secure location, and not on your laptop), and properly secure or dispose of what you no longer need.

Next, keep information in your care locked down and protected by controlling access to the “front door.” Controlled access can be managed by monitoring and restricting access to your equipment.

Finally, plan ahead. Have a plan to respond to security incidents in the event that they do occur. Knowing how to react and respond will help to limit our exposures and minimize potential risks and damage.

Other security tips that we should follow on a daily basis might include:

  • Keep operating systems updated as necessary and appropriate. The newest version of any operating system is generally the safest. Apply the latest security updates to limit vulnerabilities.
  • Back up your important data on a regular basis, and store it in a separate location to minimize risks of data loss. Any data that hasn’t been backed up is at risk. Audit data storage by conducting trial restores from time to time to ensure that the data is actually being backed up.
  • Install firewalls on computer systems. A firewall is a combination of software and/or hardware that provides a protective barrier between a computer or computer network and the public Internet. It protects your online gateway and blocks unauthorized access to your computer or network.
  • Use anti-virus software on computers. A computer virus is a program designed to copy itself into other programs stored in a computer, infecting and potentially damaging the files that receive it. Some viruses are mild, while others are destructive and can wipe out a computer’s memory or even cause more severe damage. Anti-virus software continuously scans your computer looking for viruses and checks incoming email and websites for potential threats. Updates must be performed regularly in order to stay current and effective.
  • Use spyware protection on computers. Spyware is a type of software that is covertly used to gather personal information and to monitor user activity and surfing habits, but it can also have other potentially harmful consequences such as installing additional software, redirecting browser activity, accessing websites without the user’s knowledge, changing computer settings, slowing connection speeds and otherwise damaging or interfering with user control. Spyware protection must also be updated regularly in order to remain effective.
  • Protect passwords. Weak password protocols are a common security flaw that can increase risks. Change passwords frequently and use a “strong” password that is difficult to guess or decipher. Use a combination of letters, numbers and other characters. Do not share it with others, and resist saving passwords when prompted.
  • Do not open attachments in emails from people or sources that you do not know. Filter out unwanted spam email using spam filter programs when possible. Don’t click on anything in a spam email, even to unsubscribe. If possible, don’t even open it.
  • Take precautions when sending sensitive or proprietary information via email. Password-protect documents when necessary.
  • Only allow staff access to the information that they need to do their job. For example, as employees move within an organization, access privileges can follow and quickly mount. Ensuring that employees only have access to the information appropriate for their current position can be an essential step in avoiding manipulation and/or loss of data.
  • Do not use shared devices (for example, hotel computers) for information that should be protected.
  • When possible, encrypt any digitally stored personal information that could cause damage or create a threat if it is lost or stolen. Encryption transforms data into a coded form, rendering the content of a message or file unreadable to anyone not authorized to read it.
  • Audit data storage for security policy enforcement, access control, and proper destruction of appropriate content on a regular basis. Delete information that is no longer necessary, and disable functionality that you don’t need. Do not dispose of old computers until all pertinent information has been securely removed (by authorized technology or by destroying the hard disk). Ensure that computers and other equipment are appropriately cleansed (of information, software, etc.) before they are allocated to another employee.
  • Always lock your computer or device when you are away from it. Log off and shut down your computer prior to leaving for the day.
  • Develop and implement appropriate security protocols regarding the use of removable storage devices (such as external hard drives, flash drives, etc.). Such devices can hold significant amounts of information, and should be carefully monitored and tightly controlled.
  • Know how to notify appropriate parties immediately in the event that something (phones, laptops, confidential documents, etc.) is lost or stolen. Understand the appropriate policies and practices, and maintain access to an emergency contact number.
  • Recognize that information security is not just about protecting the technology—it’s also about protecting physical assets, communications, access controls and every aspect of our information networks. This would include the physical security of company premises, proper disposal of confidential paper waste, etc. It is also about ensuring that your staff is adequately trained so that they know what is expected of them as well.
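The tip about access privileges following employees as they move through the organization describes privilege creep, which a periodic access review is meant to catch. The following is an added example, not code from the original article: it checks each user's current entitlements against a hypothetical per-role baseline and reports any grant the current role does not justify, along with the earlier role that most plausibly left it behind. All role names, entitlements and users are constructed sample data.

```python
"""Flag access entitlements that outlive an employee's current role.

Added example with constructed data: ROLE_BASELINE maps each hypothetical job
role to the entitlements it justifies; each User carries current grants and the
roles previously held. Anything granted beyond the current role's baseline is
reported as privilege creep for the access audit.
"""
from dataclasses import dataclass, field

# Hypothetical role baseline: which entitlements each role justifies.
ROLE_BASELINE = {
    "lp_investigator": {"case_files", "cctv_archive"},
    "store_manager": {"pos_reports", "schedule"},
    "hr_generalist": {"personnel_files", "payroll_view"},
}

@dataclass
class User:
    name: str
    current_role: str
    grants: set
    previous_roles: list = field(default_factory=list)

def excess_grants(user, baseline=ROLE_BASELINE):
    """Return {entitlement: origin_role} for grants the current role does not
    justify; origin is the most recent previous role that covered the grant,
    or 'unknown' when no earlier role explains it."""
    allowed = baseline.get(user.current_role, set())
    findings = {}
    for grant in sorted(user.grants - allowed):
        origin = "unknown"
        for role in reversed(user.previous_roles):
            if grant in baseline.get(role, set()):
                origin = role
                break
        findings[grant] = origin
    return findings

def access_review(users, baseline=ROLE_BASELINE):
    """Run the review over all users; only users with excess grants appear."""
    report = {}
    for user in users:
        findings = excess_grants(user, baseline)
        if findings:
            report[user.name] = findings
    return report

# Constructed sample: dana moved from investigator to store manager but kept
# case-file access; sam holds a payroll grant no role history explains.
SAMPLE_USERS = [
    User("dana", "store_manager", {"pos_reports", "schedule", "case_files"}, ["lp_investigator"]),
    User("lee", "hr_generalist", {"personnel_files", "payroll_view"}),
    User("sam", "lp_investigator", {"case_files", "cctv_archive", "payroll_view"}),
]

if __name__ == "__main__":
    for name, findings in access_review(SAMPLE_USERS).items():
        for grant, origin in findings.items():
            print(f"{name}: '{grant}' not justified by current role (origin: {origin})")
```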

Good security practices do not stop when you leave the office every day; you also take them with you when you travel or work remotely.

In loss prevention, you have exposure to different personnel at varying levels in the organization. Being an advocate for strong security practices and cascading best practices to those around you helps increase awareness and protect information. Individuals need to realize that companies cannot rely on technology alone to stay secure. Following and updating the information security policy is everyone’s responsibility.

By capitalizing on opportunities to enhance our knowledge and education, we are making an investment in our own future. To learn more about developing your leadership skills and the certification process, visit

This post was originally published in 2017 and was updated September 19, 2018. 
